Patient Confidentiality Laws Philippines

§ 19. Not applicable. – The above sections do not apply if the personal data processed is used solely for scientific and statistical research purposes. Personal data will remain strictly confidential and used only for the stated purpose.

§ 20. Security of personal data. –

(a) The controller shall implement appropriate organisational, physical and technical measures to protect personal data against accidental or unlawful destruction, alteration and disclosure and against any other unlawful processing.

(b) The controller implements reasonable and appropriate measures to protect personal data against natural risks such as accidental loss or destruction and risks to humans such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

(c) In determining the appropriate level of security under this Section, account shall be taken of the nature of the personal data to be protected, the risks posed by the processing, the size of the organisation and the complexity of its operations, current data protection best practices and the cost of implementing security. Subject to guidelines issued from time to time by the Commission, the measures taken shall include:

(1) security measures to protect its computer network from accidental, illegal or unauthorized use, or any disruption or obstruction of its operation or availability;

(2) a security policy with regard to the processing of personal data;

(3) a process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks and for taking preventive, remedial and mitigating actions against security incidents that may result in a security breach; and

(4) regular monitoring of security breaches and a process to take preventive, corrective and mitigation actions against security incidents that may result in a security breach.

(d) The controller shall also ensure that third parties processing personal data on its behalf implement the security measures required by this provision.

(e) Employees or representatives of a controller involved in the processing of personal data shall treat and process personal data in strict confidentiality if the personal data are not intended to be disclosed.

This obligation shall continue after the termination of the civil service, the transfer to another employment or the termination of the employment or contractual relationship.

(f) The controller informs the Commission and the data subjects without undue delay if it can reasonably be assumed that sensitive personal data or other information which could be used in the circumstances to enable identity theft have been obtained by an unauthorised person and the controller or the Commission considers that such an unauthorised acquisition is likely to result in a real risk of serious harm to a data subject. The notification shall describe at least the nature of the breach, the sensitive personal data likely to be affected and the measures taken by the organisation to remedy the breach. Notification shall be delayed only to the extent necessary to determine the extent of the breach, prevent further disclosures or restore the proper integrity of the information and communication system.

1. In assessing whether the notification is unjustified, the Commission may take into account the controller's compliance with this Section and the fairness of the collection of personal data.

2. The Commission may exempt a controller of personal data from the notification obligation where such notification is not reasonably in the public interest or in the interest of data subjects.

3. The Commission may authorise a postponement of the notification where this could hinder the conduct of a criminal investigation into a serious crime.

1. 1987 Constitution of the Republic of the Philippines. Bill of Rights. www.gov.ph/constitutions/the-1987-constitution-of-the-republic-of-the-philippines/. Retrieved 15 November 2014.

“Right to privacy and confidentiality – The patient has the right to privacy and protection from unwarranted advertising. The right to privacy includes the right of the patient not to be exposed to private or public exposure, through photographs, publications, video recordings, discussions or any other means that otherwise tends to expose his person and identity and the circumstances in which he or she has undergone, is undergoing or will undergo medical or surgical treatment.

All information that identifies a patient's health, diagnosis, prognosis and treatment, as well as all other information of a personal nature, must remain confidential even after death, provided that descendants have a right of access to information informing them of the risks to their health. All identifiable patient data must also be protected. Data protection must be adequate in relation to the way it is stored. Human substances from which identifiable data can be derived must also be protected.

Institutions such as PHILHEALTH and other accreditation agencies (e.g. ICO, JCIA) did not wait for the signing of the Patients' Bill of Rights and demanded that the same rights be communicated to the patient in official training material.
